Evaluation of the SEC Encryption Program

REDACTED PUBLIC VERSION
March 26, 2010
Report No. 476
Prepared by C5i Federal, Inc.

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

OFFICE OF
INSPECTOR GENERAL

MEMORANDUM

March 26, 2010

To:       Charles Boucher, Director, Office of Information Technology
From:     H. David Kotz, Inspector General, Office of Inspector General (OIG)
Subject:  Evaluation of the SEC Encryption Program, Report No. 476

This memorandum transmits the U.S. Securities and Exchange Commission, OIG's final report detailing the results of our evaluation of the Commission's encryption program.

Based on the written comments that were received and our assessment of the comments, we revised the report accordingly. This report contains three recommendations. The Office of Information Technology (OIT) did not concur with recommendations 1 and 2 and concurred with recommendation 3. The OIT's full comments to this report are included in the appendices.

Within the next 45 days, please provide OIG with a written corrective action plan that is designed to address the recommendations.
The corrective action plan should include information such as the responsible official/point of contact, time frames for completing the required actions, milestone dates identifying how you will address the recommendations cited in this report, etc.

Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy and cooperation that you and your staff extended to our contractor and auditor.

Attachment

cc:  Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman
     Diego Ruiz, Executive Director, Office of the Executive Director
     Lewis W. Walker, Deputy Director and Chief Technology Officer, Office of Information Technology
     Todd Scharf, Chief Information Security Officer, Office of Information Technology

Evaluation of the SEC Encryption Program    March 26, 2010
Report No. 476
Page i

Executive Summary

In August 2009, the U.S. Securities and Exchange Commission (SEC or Commission), Office of Inspector General (OIG), contracted with C5i Federal, Inc. (C5i) to assist with the completion and coordination of the OIG's input to the Commission's response to Office of Management and Budget (OMB) Memorandum M-09-29. OMB Memorandum M-09-29 provides instructions and a template for meeting the fiscal year 2009 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA), Title III, Pub. L. No. 107-347.
C5i's principal tasks included completing the OIG's portion of the template and reporting the results in an executive report. In addition to coordinating the OIG response to OMB, we also examined the Commission's implementation of the encryption program and privacy processes and technologies.

C5i commenced its FISMA work for the OIG in September 2009, when the final FISMA questionnaires were promulgated by OMB. C5i completed the OIG's portion of the FISMA reporting template (Section C) and conducted an evaluation of the SEC's encryption program. This report documents the results of C5i's evaluation of the Commission's encryption program.

Overall, we found that the SEC has a comprehensive encryption program. However, we identified two findings related to mobile devices and portable media that the Office of Information Technology (OIT) should address as follows:

   •   Mobile devices such as |||||||||||||||||||||| have not been properly encrypted throughout the SEC headquarters divisions/offices and regional offices.

   •   OIT has not implemented policy requiring the encryption of portable media for all Commission headquarters divisions/offices and regional offices.

OIT should take steps to ensure the rollout of new ||||||||||||||||||| handheld devices with forced encryption is completed on schedule. Until the rollout is complete, the SEC runs the risk of confidential or privacy-protected information being exposed. Further, OIT's current policy for encryption is optional, and two regional offices do not require their personnel to encrypt data that is copied to or contained on portable media. We determined that the current policy should be revised to require all removable media to be encrypted.
Allowing this policy to be optional exposes the SEC to potential breaches in Personally Identifying Information (PII) and sensitive data leakage/loss. The best way to protect the Commission's data is to ensure it is encrypted.

Objective. The objective of this evaluation was to examine the SEC's implementation of encryption technologies and processes.

Recommendations. The OIT should revise its policy and require all portable media to be encrypted. Allowing the policy to be optional exposes the Commission to potential breaches in PII and sensitive data leakage/loss. The only way to protect the data is to encrypt all the data. The protection of data cannot be optional. Therefore, OIT should eliminate the option for offices to determine whether or not they will encrypt portable media such as thumb drives, CD/DVDs, etc. Finally, in the future, OIT should encrypt all PDA/||||||||||||||||||| |||||||||||||| to ensure the protection of any confidential/proprietary/privacy information that may be contained on these devices.

TABLE OF CONTENTS

Executive Summary
Table of Contents
Results and Recommendations
     Background
     Results
     Recommendation 1
     Recommendation 2
     Recommendation 3

Appendices
     Appendix I: Acronyms
     Appendix II: Scope and Methodology
     Appendix III: Criteria
     Appendix IV: List of Recommendations
     Appendix V: Management Comments
     Appendix VI: OIG Response to Management's Comments

Results and Recommendations

Background

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (referred to as ciphertext).
The reverse process of encryption is called decryption; information is decrypted to make the encrypted information readable again (i.e., to make it unencrypted).

Encryption has long been used by the military and governments to facilitate secret communication, but is now commonly used in protecting information in civilian systems and in the private sector. Encryption may be used to protect data "at rest" (e.g., files on computers, portable media [1] and storage devices), as well as data in transit (e.g., e-mail). Encrypting data at rest helps protect it in the event physical security measures fail.

[1] Portable media is a device that is capable of storing and playing digital media.

As is true with password strength – the more complex the password, the more difficult to guess – the stronger the encryption, the safer the data.

Forced encryption is the best posture for any organization to take, as it removes the element of human error. All laptops, e-mail, and portable media should be encrypted to ensure that confidential/sensitive data is not compromised, and staff should always ensure that any data that is being copied to portable media be encrypted.

Results

As part of the fiscal year (FY) 2009 Federal Information Security Management Act (FISMA) evaluation of the SEC, C5i Federal, Inc. (C5i) conducted an evaluation of the U.S. Securities and Exchange Commission (SEC or Commission) encryption program. C5i conducted interviews with Office of Information Technology (OIT) personnel, reviewed policies and procedures, and analyzed documents and documentation pertaining to the products the SEC uses for encryption. To formulate the OIG response to the OMB questionnaire and to support the findings in connection with this evaluation, we reviewed incidents that
occurred within the Commission involving the loss of unencrypted data and unencrypted portable media.

We found the SEC has developed and implemented the policies and procedures surrounding encryption technology and processes. The Draft SEC Encryption policy encompasses the recommendations and best practices of National Institute of Standards and Technology (NIST) 800-53, Recommended Security Controls for Federal Information Systems, the Office of Management and Budget (OMB) M-06-16, Protection of Sensitive Agency Information, OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and SEC Regulation (SECR) 23-2a, Safeguarding Non-Public Information.

All tools either currently being used or being considered for use by the SEC for the purposes of encryption must be compliant with Federal Information Processing Standards (FIPS) 140-2 and FIPS 200. What follows is a description of the encryption tools currently being used by the SEC.

   •   |||||||||||||||||| ||||| |||||| is used for encryption of SEC workstations (desktops and laptops), and is also used for encryption of portable media (USB devices, CDs, etc.). ||||||||||||||| ||||| |||||| has enforceable mandatory access control and strong encryption. User credentials and confidential data remain private. It enables the SEC to enforce its security policy, while providing a security solution that is easy for employees to use and does not adversely affect equipment performance. However, the encryption policy for portable media is not followed agency-wide.
       Additional details about the portable media encryption can be found in the findings section of this document.

   •   E-mail in transit is encrypted using |||||||||||||||. This is an appliance that sits on the edge of the network and inspects all outbound e-mail messages to ensure they comply with SEC policies. It provides full-content scanning of the message body and attachments, and can encrypt, route, block or brand outbound e-mail based on customization by the OIT.

   •   ||||||||||||||||||| – the SEC uses the vendor recommended/provided software for encryption of ||||||||||||||||||| ||||||||||||||. Data in transit between the ||||||||||||||||||| ||||||||||| and ||||||| |||||||||||||||||| ||| ||||||||||||| is encrypted; however, not all of the handheld devices are encrypted. Additional details regarding ||||||||||||||||||| encryption can be found in the findings section of this document.

Overall, the SEC has a comprehensive encryption program that uses best-in-breed technologies and employs industry best practices to safeguard the Commission's information. However, there are some areas of concern, which are discussed in detail below.

Encryption of Portable Media

In September 2008, the OIT Chief Technology Officer sent a memorandum to SEC Division/Office Directors and Regional Directors, outlining the SEC's portable media encryption requirements.
The memorandum provided Directors with two options for encryption as follows:

         (1) Configuration 1: Automatically encrypts data stored on portable media when the media is connected to SEC-owned equipment; or
         (2) Configuration 2: Gives SEC personnel the option of storing data on portable media without encrypting the data when the media is connected to SEC-owned equipment, if the user determines the stored data does not include non-public data or Personally Identifiable Information (PII).

Portable media includes, but is not limited to, USB drives, readable and/or writeable CDs, DVDs, and external hard drives. All SEC Directors elected to adopt Configuration 1, except two regional offices that opted to adopt Configuration 2. Configuration 2 essentially relies on the individual's judgment whether or not to encrypt data that is copied to or contained on portable media.

An encryption program cannot be optional in order for it to be effective. Human error is a significant contributor to security incidents, and allowing encryption to be optional greatly increases the likelihood that data is compromised. While people are usually very familiar with documents on their computers, we believe that it is not possible for most people to remember for certain the information that is contained in a particular document. We found that the Division/Offices are given the option of whether they would like to encrypt their portable media. In our view, allowing SEC Division/Offices the option to encrypt removable media could result in the loss or exposure of sensitive data and/or PII. For example, in 2009 there were two incidents where information stored on portable media was lost. In Incident 138, an external device was lost that had PII stored on it. In Incident 143, a |||||||||| USB drive was lost.
Although ||||||||||s are not necessarily considered writable media, [2] because SEC personnel use them to attain remote access to their desktops, the incident report indicates they have a writable partition that is not encrypted.

[2] NIST defines writeable media as information system media that includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm).

The only way to protect the data is to encrypt all the data. Allowing the policy to be optional exposes the Commission to potential breaches in PII and sensitive data leakage/loss. Therefore, we recommend that OIT require all portable media be encrypted. Implementing this recommendation will eliminate the option given to offices to select whether or not they want to encrypt portable media, because the protection of data cannot be optional.

        Recommendation 1:

        The Office of Information Technology should revise its policy and require "all" portable media be encrypted.

        Management Comments. Nonconcur. See Appendix V for management's full comments.

        OIG Analysis. OIG disagrees with the opt-out option in the policy that allows division and office heads the ability to determine whether or not to encrypt data on portable media because encryption is a necessary strategy for managing the risk associated with utilizing portable media. We would request that OIT reconsider its position.
        See Appendix VI for the OIG's full response to management's comments.

        Recommendation 2:

        Office of Information Technology should eliminate the option for divisions and offices to determine whether or not they will encrypt portable media such as thumb drives, CD/DVDs, etc.

        Management Comments. Nonconcur. See Appendix V for management's full comments.

        OIG Analysis. As indicated in Recommendation 1, OIG disagrees with the option of allowing division and office heads the ability to determine whether or not to encrypt data on portable media because encryption is a necessary strategy for managing the risk associated with utilizing portable media. We would request that OIT reconsider its position. See Appendix VI for the OIG's full response to management's comments.

Encryption of Handheld Devices |||||||||||||||||||||

As part of our review of the encryption program, we addressed the encryption of handheld devices. While we found that data in transit between the enterprise server and the ||||||| ||||||||||| is encrypted, the encryption of ||||||||||||||||||| |||||||||||||| is not enforced.

||||||||||||||||||||||, as well as other personal digital assistant (PDA) handheld devices, contain a huge amount of information such as e-mail, e-mail addresses, e-mail attachments, and user information. Unencrypted PDA devices can cause a significant security impact if they are lost or stolen, because sensitive and/or confidential information on these devices can be exposed if they are not encrypted, which could bring possible damage to the Commission if non-public information is disclosed to the public.
We found in 2009 the SEC had 15 security incidents involving lost or stolen ||||||||||||||||||| |||||||||||||| that were not encrypted. For example, in June 2009 a security incident occurred when a stolen, unencrypted ||||||||||||||||||| was used to send a spoofed e-mail to the SEC Chairman, members of the press, and other media communities.

In July 2009, the SEC began replacing its ||||||||||||||||||| |||||||||||||| with updated devices with forced encryption that cannot be circumvented or disabled. As of October 15, 2009, 638 of 1,192 ||||||||||||||||||||| had been replaced. OIT informed us that by the end of December 2009, it planned to replace all ||||||||||||||||||| |||||||||||||| with encryption that cannot be circumvented or disabled. However, we have not received any documentation to confirm whether all ||||||||||||||||||| |||||||||||||| were replaced and have the needed encryption. We recommend that in the future, all devices are encrypted.

       Recommendation 3:

       In the future, the Office of Information Technology should encrypt all PDA/||||||||||||||||||| |||||||||||||| to ensure the protection of confidential/proprietary/privacy information that may be contained on the devices.

       Management Comments. Concur. See Appendix V for management's full comments.

       OIG Analysis. We are pleased that OIT has concurred with this recommendation.
Appendix I

Acronyms

        CSIRT               Computer Security Incident Response Team
        FIPS                Federal Information Processing Standards
        FISMA               Federal Information Security Management Act
        NIST                National Institute of Standards and Technology
        OIG                 Office of the Inspector General
        OIT                 Office of Information Technology
        OMB                 Office of Management and Budget
        PII                 Personally Identifying Information
        SEC or Commission   Securities and Exchange Commission

Appendix II

Scope and Methodology

This evaluation was not conducted in accordance with government auditing standards.

Scope. The scope of this evaluation covers fiscal years 2008 through 2009.

Methodology. To meet the evaluation objectives to examine the SEC's implementation of encryption technologies and processes, C5i conducted interviews with key personnel, made independent observations, reviewed established policies, and obtained and examined supporting documentation. Interviews with key personnel included systems owners, business line managers, OIT representatives, and OIG personnel. The personnel were interviewed regarding the issues germane to completing the evaluation of the SEC encryption program.
Interview discussion areas included:

    •   SEC encryption policies and procedures;
    •   Encryption of computers – desktop, laptops, handheld devices such as Blackberries, and portable/removable media; and
    •   Incidents involving unencrypted portable media.

Support documents SEC officials provided included system artifacts and documentation relating to the various SEC systems and issues that were identified.

Internal Controls. We reviewed the existing controls that were considered significant for FISMA and within the context of the encryption program and our objectives.

Prior Audit Coverage. We conducted an assessment of the Commission's FISMA program in 2008. The review looked at the FISMA major security areas as well as performed an assessment of two of the Agency's information systems: the Complaints/Tips/Referrals, and the Office of Compliance Inspections and Examinations, Adviser Surveillance Intelligence System applications. The report contained three recommendations and revealed that there were no significant issues with the systems; however, we found some problems with the overall security program as it related to the Commission completing security control and contingency testing for some systems. We also identified a problem with the Commission's implementation of the requirements for Federal Core Desktop Configuration.

Appendix III

Criteria

OMB Memorandum M-09-29, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
This memorandum provides instructions for meeting agency FY 2009 reporting requirements under the Federal Information Security Management Act of 2002, Title III, Pub. L. No. 107-347. It also includes reporting instructions for agency privacy management programs.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007). This memorandum requires agencies to develop and implement a breach notification policy. This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies' Inspectors General and other law enforcement, and public and legislative affairs. It is also a function of applicable laws, such as the Federal Information Security Management Act of 2002, and the Privacy Act of 1974.

OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006). This memorandum provides updated guidance on the reporting of security incidents involving personally identifiable information, reminds agencies of existing requirements, and explains new requirements agencies will need to meet when addressing security and privacy in their fiscal year 2009 budget submissions for information technology.

OMB Memorandum M-06-16, Protection of Sensitive Agency Information (June 23, 2006). This memorandum recommends a number of actions necessary to protect sensitive information.

OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006).
This memorandum reemphasizes agency responsibilities under law and policy to appropriately safeguard sensitive personally identifiable information and to train employees on their responsibilities.

OMB Memorandum M-03-22, Guidance for Implementing Privacy Provisions of the E-Government Act of 2002 (September 30, 2003). This memorandum provides information to agencies on implementing the privacy provisions of the E-Government Act of 2002, which was signed by the President on December 17, 2002 and became effective on April 17, 2003.

NIST SP 800-72, Guidelines on PDA Forensics. This guide provides an in-depth look into PDAs, explaining the technologies involved and their relationship to forensic procedures. It covers three families of devices – Pocket PC, Palm OS, and Linux-based PDAs – and the characteristics of their associated operating systems.

NIST SP 800-83, Guide to Malware Incident Prevention and Handling. This publication provides recommendations for improving an organization's malware incident prevention measures. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware tracking cookies, and attacker tools such as backdoors and rootkits. The recommendations encompass various transmission mechanisms, including network services (e.g., e-mail, Web browsing, file sharing) and removable media.

NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response.
This guide provides detailed information on establishing a forensic capability, including the development of policies and procedures. Its focus is primarily on using forensic techniques to assist with computer security incident response, but much of the material is also applicable to other situations.

NIST SP 800-101, Guidelines on Cell Phone Forensics. The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise.

CMU/SEI-2003-HB-001, Organizational Models For Computer Security Incident Response Teams. This handbook describes different organizational models for implementing incident handling capabilities, including each model's advantages and disadvantages and the kinds of incident management services that best fit with it. An earlier SEI publication, the Handbook for Computer Security Incident Response Teams (CSIRT) (CMU/SEI-2003-HB-002), provided the baselines for establishing incident response capabilities.

CMU/SEI-2003-TR-001, State of the Practice of Computer Security Incident Response Teams (CSIRT). This report provides an objective study of the state of the practice of incident response, based on information about how CSIRTs around the world are operating. It covers CSIRT services, projects, processes, structures, and literature, as well as training, legal, and operational issues.

CMU/SEI-2003-HB-002, Handbook for Computer Security Incident Response Teams. This report proposes an intrusion-aware design model called trustworthy refinement through intrusion-aware design (TRIAD).
TRIAD helps information system decision makers formulate and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization.

CMU/SEI-2004-TR-015, Defining Incident Management Processes for CSIRTs. This report presents a prototype best practice model for performing incident management processes and functions. It defines the model through five high-level incident management processes: Prepare/Sustain/Improve, Protect Infrastructure, Detect Events, Triage Events, and Respond. Workflow diagrams and descriptions are provided for each of these processes.

CMU/SEI-2005-HB-001, First Responders Guide to Computer Forensics. This handbook is for technical staff members charged with administering and securing information systems and networks. It targets a critical training gap in the fields of information security, computer forensics, and incident response: performing basic forensic data collection.

SAND98-8667, A Common Language for Computer Security Incidents. This paper presents the results of a project to develop a common language for computer security incidents. This project results from cooperation between the Security and Networking Research Group at the Sandia National Laboratories, Livermore, CA, and the CERT® Coordination Center at Carnegie Mellon University, Pittsburgh, PA.
476\n                                           Page 10\n\x0c                                                                      Appendix IV\n\n\n                      List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology should revise its policy and require that \xe2\x80\x9call\xe2\x80\x9d\nportable media be encrypted.\n\nRecommendation 2:\n\nOffice of Information Technology should eliminate the option for divisions and\noffices to select whether or not they will encrypt portable media, i.e., thumb\ndrives, CD/DVDs, etc.\n\nRecommendation 3:\n\nIn the future, the Office of Information Technology should encrypt all\nPDA/||||||||||||||||||| |||||||||||||| to ensure the protection of\nconfidential/proprietary/privacy information that may be contained on the devices.\n\n\n\n\nEvaluation of the SEC Encryption Program                              March 26, 2010\nReport No. 476\n                                           Page 11\n\x0c                                                                                Appendix V\n\n\n                                  Management Comments\n\n\n\n\n                                                   Memorandum\n\nDate:            March 11,2010\n\nTo:              David Kotz, Inspector General. OIG\n                 Jacqueline Wilson, Assistant Inspector General, O ~~\n\nFrom:            Charles Boucher. Chief Information Officer. OIT (----"--. (\'.({""ctA-@--\n\nSubject:         Management Response to OIG Report 476, Evaluation of the SEC Encryption\n                 Program                             -\n\n\nThank you for the opportunity to comment on the recommendations in the draft "Evaluation of\nthe SEC Encryption Program" report. The Office of Information Technology (OIT) takes\nseriously our obligation to properly safeguard the SEC\'s information technology assets. 
The protection of sensitive non-public data and Personally Identifiable Information (PII) is of the utmost importance and the OIT has implemented strong measures to ensure the safekeeping of such data. These measures include:

    • Encrypting the hard drive of all SEC laptop computers,
    • Encrypting all SEC Blackberry PDA devices,
    • Equipping all SEC workstations with encryption software to allow for the encryption of data placed on portable media from an SEC workstation,
    • Implementing an Encryption Policy that requires all sensitive non-public or PII data be encrypted,
    • Providing annual privacy and security training which covers the responsibilities SEC staff have regarding the protection of sensitive non-public data and PII, and
    • Sending out periodic reminders to all SEC staff on their responsibilities regarding safeguarding data.

The encryption policy of the SEC is that all sensitive non-public or PII data must be encrypted. To ensure that all employees can comply with this policy, encryption software has been installed on all SEC workstations. Our policy is consistent with the Office of Management and Budget (OMB) memorandum M-06-16, which recommends that departments and agencies encrypt all data on mobile computer/devices which carry agency data, unless the data is determined to be non-sensitive.

The SEC's encryption policy also provides that each division or office head within the SEC will determine which of two implementation methods to employ for all employees within the division or office. If the division or office chooses a "mandatory" method, then the encryption software will always automatically encrypt all portable media that has data placed on it from any SEC Workstation within the division or office. If the division or office chooses an "optional" method, then the encryption software will instead provide the user with a prompt that 1) reminds the user that all sensitive non-public or PII data must be encrypted when placed on portable media and 2) allows them to determine and select whether the data being placed on the portable media requires encryption. Additionally, when the portable media is encrypted (e.g. if any data requires encryption), then all data on that portable media is encrypted. Therefore, non-sensitive data on the same media as sensitive data would be encrypted.

Our policy reflects the necessity to balance the needs of the business with appropriate safeguarding measures, and recognizes that different divisions and offices within the agency use portable media differently. Allowing SEC leadership to choose which implementation method best addresses the type of data their staff are handling allows for a more efficient and effective business operation. For example, we understand that some courts - to whom our Enforcement staff regularly provide data through portable media - require that when data is provided on portable media that it not be encrypted.

Finally, many other financial regulatory agencies have implemented encryption on portable media in the same manner that the SEC has. We have confirmed that both the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve Bank (FRB) implement their policies such that their staff determines the nature of the data and encrypts appropriately. These agencies do not require all portable media be encrypted, and do not require any divisions or offices to have mandatory encryption, which the SEC's policy allows for.

Recommendation 1:

The Office of Information Technology should revise its policy and require "all" portable media is encrypted.

Recommendation 2:

Office of Information Technology should eliminate the option for offices to determine whether or not they will encrypt portable media such as thumb drives, CD/DVD, etc.

Response to Recommendation 1 and Recommendation 2:

For the reasons explained above, OIT does not concur with these recommendations.

Recommendation 3:

In the future the Office of Information Technology should encrypt all PDA/Blackberry devices to ensure the protection of confidential/proprietary/privacy information that may be contained on the devices.

Response to Recommendation 3:

The Office of Information Technology concurs with this recommendation. OIT encrypts all Blackberry devices.

Appendix VI

OIG Response to Management’s Comments

OIT did not concur with recommendations 1 and 2, but concurred with recommendation 3.
We are pleased that OIT concurred with recommendation 3, and provide our response to OIT’s comments regarding recommendations 1 and 2 as follows.

The CIO states in the management comments that OIT’s policy to allow a division or office to opt-out of the automatic encryption of all portable media that has data placed on it from an SEC workstation “reflects the necessity to balance the needs of the business with appropriate safeguarding measures.” While the OIG understands the concern to balance the business needs of the different offices and divisions within the SEC, as we discussed in the report, an encryption program cannot be optional if it wishes to be effective. Human error is a significant contributor to security incidents and allowing encryption to be optional greatly increases the likelihood that data is compromised. In our view, the only way to protect the data is to encrypt all of it. Allowing the policy to be optional exposes the Commission to potential breaches in PII and sensitive data leakage/loss.[3]

Accordingly, we disagree with OIT’s comments and would request that OIT reconsider its position and agree to eliminate the option for offices to determine whether or not they will encrypt portable media and in the future encrypt all PDA/blackberry devices.

[3] The fact that other agencies may also allow potential exposure to breaches in PII by not requiring that all portable media be encrypted is not a reason that the SEC should allow itself to be vulnerable.

Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

      U.S. Securities and Exchange Commission
      Office of Inspector General
      Attn: Assistant Inspector General, Audits (Audit Request/Idea)
      100 F Street, N.E.
      Washington D.C. 20549-2736

      Tel. #: 202-551-6061
      Fax #: 202-772-9265
      E-mail: oig@sec.gov

Hotline

To report fraud, waste, abuse, and mismanagement at SEC, contact the Office of Inspector General at:

      Phone: 877.442.0854

      Web-Based Hotline Complaint Form:
      www.reportlineweb.com/sec_oig